Two weeks ago, Facebook announced that a flaw with its “View As” feature allowed hackers to compromise up to 50 million accounts. Today, the company is out with more specific details on the security breach and has shared exactly what information was stolen and for how many users.
In a newsroom post today, Facebook's VP of product management, Guy Rosen, detailed what the company has found so far in its investigation of the attack. While Facebook has confirmed that about 30 million of the previously estimated 50 million users had information compromised, it also says that more attacks may have taken place.
We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate.
The vulnerability that was used in the attacks existed for over a year, from July 2017 to September 2018. Here’s how the hackers exploited the flaw:
First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people.
Using those access tokens, the attackers were able to gain access to personal information for roughly 30 million users. About half of them (15 million) had their name and contact details, including phone number and email, exposed, while a further 14 million also had more detailed profile information compromised, including birthdate, current city, and recent location data.
The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
Facebook says users can find out if they were victims of this attack by heading to its Help Center. Facebook is also going to reach out to all affected users and explain what information was compromised.
In the coming days, we’ll send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls.
Facebook also shared that it is working with the FBI, the US FTC and other officials to determine who was behind this attack, and to investigate any other attacks that have yet to come to light.